Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > Revisited - Need help with IPSec tunnel periodically collapsing with 7206 to Linksys BEFVP41

Reply
Thread Tools

Revisited - Need help with IPSec tunnel periodically collapsing with 7206 to Linksys BEFVP41

 
 
Ted Mittelstaedt
Guest
Posts: n/a
 
      12-10-2004
Hi All,

I am posting some followup information on a post I made back in Sun, 18
Jul 2004 15:12:26 -0700,
titled "Need help with IPSec tunnel periodically collapsing". message ID
newscache$j0j21i$qs5$(E-Mail Removed)

I have some followup information on this:

Firat, we aren't using a VAM card in the 7206. I have also tried the most
current IOS and the problem
actually worsened. 12.1 seems to be the best release so far. I've tried
this with both ip cef
enabled or disabled, makes no difference.

The ACL on the 7206 and the BEFVP41 match, and they are a permit ip
statement, no permit
tcp or any of that.

The linksys does support keepalives and it is checked, it makes no
difference though what the
setting is.

Now for the new information,

I finally did setup a perl script that queries the remote linksys through
the VPN, if it cannot reach it,
the script sends the "clear crypto sa" command to the 7206. The script is
called out of cron once a
minute on a convenient UNIX system.

I have discovered that what seems to be the problem is when the key expires
(both the Linksys and
the 7206 have a key lifetime set to 3600 seconds, ie: 1 hour) that MOST of
the time the 7206
and the Linksys do correctly renegotiate the key and the VPN does not go
down.

But, every once in a while the Cisco doesen't renegotiate it, and the VPN
goes down - then a minute
later my script is clearing the ca and then the two devices do their
renegotiation and everything
is fine again.

It's an icky bandaid but it works. Here's the script in case anyone needs
to do the same thing:

#!/usr/bin/perl -w

$mail{From} = 'Automated monitoring <(E-Mail Removed)>';
$mail{To} = 'Support Desk<(E-Mail Removed)>';
$server = 'mail.eatme.net';

use Net::Telnet;
use Net:ing::External qw(ping);
use Mail::Sendmail;

if(ping(host => '192.168.168.168', count => 5, size => 16, timeout => 3)){
exit;
}
$telnet = new Net::Telnet ( Timeout=>10,
Errmode=>'die');
$telnet->open('7206-rtr.eatme.net');
$telnet->waitfor('/Username: $/i');
$telnet->print('tedm');
$telnet->waitfor('/Password: $/i');
$telnet->print('eatme');
$telnet->waitfor('/\>$/i');
$telnet->print('en');
$telnet->waitfor('/Password: $/i');
$telnet->print('eatme');
$telnet->waitfor('/\#$/i');
$telnet->print('clear crypto sa');
$telnet->print('');


$mail{Smtp} = $server;
$mail{Subject} = "Reinitialized crypto on 7206-rtr, message sent from
Mail::Sendmail version $Mail::Sendmail::VERSION ";

$mail{Message} = "On " . Mail::Sendmail::time_to_date() . " the Remote
customer Linksys router\n";
$mail{Message} .= "stopped responding, and crypto SA was reset on the
7206-rtr.eatme.net\n";
$mail{Message} .= "router. See http://vpn.biteme.com:8080/ for loginfo.\n";

if (sendmail %mail) {
print "content of \$Mail::Sendmail::log:\n$Mail::Sendmail::log\n";
if ($Mail::Sendmail::error) {
print "content of
\$Mail::Sendmail::error:\n$Mail::Sendmail::error\n ";
}
print "ok 2\n";
}
else {
print "\n!Error sending mail:\n$Mail::Sendmail::error\n";
print "not ok 2\n";
}

exit;


And of course, if anyone can make any suggestions for setting changes on the
Linksys or Cisco that
would be great.

Now that Cisco owns Linksys maybe they will be more interested in fixing
interoperability? (hint hint)

Thanks,

Ted Mittelstaedt
http://www.velocityreviews.com/forums/(E-Mail Removed)





 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
7206-dslam-adsl-7206 FLEngineer Cisco 0 05-08-2008 12:46 PM
Linksys BEFVP41 to Cisco Pix 506E mwells@bsacap.org Cisco 3 07-27-2005 05:27 PM
Linksys BEFVP41 -- a first look Walter Roberson Cisco 6 04-09-2005 06:39 AM
Re: Cisco VPN Client to Linksys VPN Router BEFVP41 paras_g@yahoo.com Cisco 0 02-07-2005 12:11 AM
Need help with IPSec tunnel periodically collapsing Ted Mittelstaedt Cisco 6 07-22-2004 04:20 AM



Advertisments